Coronavirus sparks phishing, disinformation, tabletop exercises and handwashing

It’s hard to tell who’s benefitting most from the coronavirus – Russia, hackers or hand sanitizer vendors, the latter of whom are at least trying to help stop the spread of the dangerous disease.

A State Department official told Congress Thursday that Russian operatives are behind coronavirus conspiracy theories popping up on social media while the new illness has prompted phishing campaigns and other cybersecurity hijinks.

The coordinator for the State Department’s Global Engagement Center, Lea Gabrielle, said the “entire ecosystem of Russian disinformation is at play,” after an analysis of millions of tweets showed that known conspiracy theories about coronavirus “amounted to about seven percent of the Twitter conversation” between January 10 and February 20.

Some of the usual bad actors are looking to capitalize on fears over the virus. Check Point reported that “the most prominent Coronavirus-themed campaign targeted Japan, distributing Emotet – the leading malware type for the fourth month running – in malicious email attachments feigning to be sent by a Japanese disability welfare service provider” with the emails appearing “to be reporting where the infection is spreading in several Japanese cities, encouraging the victim to open the document which, if opened, attempts to download Emotet on their computer.”

Trickbot’s operators trained their efforts on Italy, where coronavirus has spread to 3,800 people with 148 deaths reported. Recent messages aimed at Italian email addresses carry “a document purported to be a list of precautions to take to prevent infection” but is actually “a weaponized Word document, carrying a Visual Basic for Applications (VBA) script that carries a dropper used to deliver a new Trickbot variant,” Sean Gallagher, senior threat researcher at Sophos, wrote in a blog post. “With concerns about COVID-19 on the rise – particularly in Italy, where cases are surging – the spam campaign’s subject line is now in tune with the concerns of the day.”

The emails, purporting to be from “Dr. Penelope Marchetti” read:

Due to the fact that cases of coronavirus infection are documented in your area, the World Health Organization has prepared a document that includes all necessary precautions against coronavirus infection. We strongly recommend that you read the document attached to this message!

Proofpoint, which has seen an uptick in activity around Coronavirus, wrote in a blog post that “the most notable developments we’ve seen are attacks that leverage conspiracy theory-based fears around purported unreleased cures for Coronavirus and campaigns that abuse perceived legitimate sources of health information to manipulate users.”

In an in-person interview on February 11, Sherrod DeGrippo, senior director of threat research and detection, told SC Media that the company is now seeing a new coronavirus email phishing campaign “every couple of days,” and predicted that more will come.

So far, the campaigns have tended to use a mix of lures, some of which are coronavirus-themed, while others are more conventionally designed to look like fake invoices, shipping receipts and résumés. Some have exclusively targeted health care professionals, while others have targeted shipping companies and operators of large freighter fleets, she continued.

“What’s helping [the cybercriminals] is that a lot of HR departments are sending out coronavirus updates for their workforce,” instructing employees to stay home if they are sick, for example. So the phishing emails are “mixing in with the legit HR coronavirus warnings and that makes it harder to tell [the difference] and I think that that’s part of what the threat actor motivation is: ‘Well, we know you’re getting a legit one, so we’re gonna send one with malware too.’”

IBM Security has noted scams related to the virus since January and a Check Point report revealed registration of domains related to coronavirus has risen, with the company noting in a Thursday blog post that “Coronavirus-related domains are 50 [percent] more likely to be malicious than other domains registered at the same period, and also higher than recent seasonal themes such as Valentine’s Day.”

While cybersecurity pros track malicious incidents and health officials as well as an anxious public mull the potential human toll of the coronavirus and ways to mitigate its impact, organizations are planning for the stress on resources, security challenges and even privacy issues wrought by a pandemic that, among other things, provokes widespread telecommuting.

John Dickson, principal at The Denim Group, told SC Media during a podcast that his company was slated to hold a tabletop exercise to test its computing resources after Dickson returned to the company’s San Antonio, Texas, headquarters in the aftermath of the RSA Conference that AT&T, IBM, Verizon and a slew of other companies had skipped due to coronavirus fears.

“What’s the impact on VPN concentrators,” for example, when everyone is working remotely, Dickson asked. Businesses are really good at using apps like Zoom and WebEx for optimization but mass teleworking will test whether it’s a sustainable model.

JP Morgan Chase this week ordered 10 percent of the employees in its more than 127,000-person strong consumer banking division to stay home, not to avoid spreading the virus but to test its Project Kennedy coronavirus contingency plan.

Companies that aren’t already thinking about business continuity and disaster recovery plans “or doing tabletops on this impact are probably already behind the power curve,” Dickson said.

They’re also likely experiencing “much more of a panic” than those that have properly prepared, Malcolm Harkins, chief security and trust officer at Cymatic, told SC Media during a podcast. While at Intel, Harkins worked on a number of such plans for pandemics and disasters like SARS, Ebola and the earthquake and tsunami in Japan several years back. Those strategies intertwined infosecurity, physical, logical, corporate emergency management, business continuity and disaster recovery.

“It all gets back to risk management,” Harkins said. While companies can’t control pandemics or other disasters, “you can prepare for them.”
